Security
Built for the trust requirements of academic publishing.
Publishers, libraries, and universities depend on ZenPub for content that matters. Here is how we protect it — at the infrastructure, application, and data layer.
Compliance & certifications
Standards we comply with
- COUNTER 5.1 (Compliant): TR, DR, IR, PR reports + SUSHI R5.1 API
- GDPR (Compliant): DPA available; SCCs Module 2 for international transfers
- WCAG 2.2 AA (Compliant): Accessible reading interface and admin panel
- Readium LCP (Compliant): EDRLab-standard EPUB DRM implementation
- SOC 2 Type II (In progress): Audit scheduled for Q4 2026
- ISO 27001 (Roadmap): Planned following SOC 2 completion (2027)
Platform security
Security from the database layer up
Tenant isolation
- PostgreSQL row-level security (RLS) — every query is scoped to the requesting tenant's organisation ID at the database layer, not the application layer
- Separate S3 key prefixes per tenant with signed URLs that expire in 15 minutes — cross-tenant content access is architecturally impossible
- Tenant slug validation on every API request via middleware before any controller logic runs
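The database-layer scoping described under Tenant isolation, shown as an added illustration that is not ZenPub's own schema or code: table, column, role and setting names are assumptions, and the two tenant UUIDs are constructed sample values.

```sql
-- Constructed illustration of database-layer tenant scoping with PostgreSQL RLS.
-- Table, column, role and setting names are assumptions, not ZenPub's schema.
CREATE ROLE zenpub_app LOGIN;                    -- the API connects as this non-superuser
CREATE TABLE documents (
    id              bigserial PRIMARY KEY,
    organisation_id uuid NOT NULL,
    title           text NOT NULL
);
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO zenpub_app;
GRANT USAGE, SELECT ON SEQUENCE documents_id_seq TO zenpub_app;

ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;  -- the table owner is not exempt either

-- The policy reads the tenant from a transaction-local setting. NULLIF turns an
-- unset or empty setting into NULL, so the comparison can never be true:
-- a request with no tenant context sees no rows, rather than every row.
CREATE POLICY tenant_isolation ON documents
    USING      (organisation_id = NULLIF(current_setting('app.current_tenant', true), '')::uuid)
    WITH CHECK (organisation_id = NULLIF(current_setting('app.current_tenant', true), '')::uuid);

-- Run the transactions below connected as zenpub_app; a superuser bypasses RLS entirely.
-- The request middleware binds the authenticated tenant with SET LOCAL, not SET:
-- with a connection pool the value must die with the transaction, or it would
-- leak into whichever request borrows the connection next.
BEGIN;
SET LOCAL app.current_tenant = '11111111-1111-1111-1111-111111111111';
INSERT INTO documents (organisation_id, title)
    VALUES ('11111111-1111-1111-1111-111111111111', 'Tenant A monograph');
COMMIT;

-- Check: tenant B cannot read tenant A's row even with no WHERE clause, and
-- WITH CHECK rejects an attempt to write a row tagged with tenant A's ID.
BEGIN;
SET LOCAL app.current_tenant = '22222222-2222-2222-2222-222222222222';
SELECT count(*) FROM documents;
INSERT INTO documents (organisation_id, title)
    VALUES ('11111111-1111-1111-1111-111111111111', 'mislabelled row');
ROLLBACK;
```

The fail-closed behaviour (no tenant setting means no rows) and the use of a non-superuser role are what make the isolation hold at the database rather than the application layer.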
Authentication & access control
- JWT tokens with short expiry (15 min access / 7 day refresh) using a stable production secret
- Timing-safe token comparison (Node.js crypto.timingSafeEqual) to prevent timing side-channel attacks
- Role-based access control enforced at both controller and guard level — admin, editor, and viewer roles
- SSO/SAML 2.0 and IP-range authentication for institutional access, with per-collection access rules
- Sitewide rate limiting via NestJS ThrottlerGuard; contact form limited to 3 requests per 60 seconds
Content protection (DRM)
- LCP (Lightweight Content Protection) DRM for all EPUB files — industry standard for ebook distribution
- EC P-256 private key for LCP license signing, stored as a stable environment secret (never ephemeral in production)
- Signed, time-limited S3 URLs for PDF delivery — direct S3 access is disabled
- Content streamed directly from CDN edge — Zentrovia infrastructure is never a bottleneck in the read path
Data security
- Encryption at rest: AES-256 on all S3 objects and database volumes
- Encryption in transit: TLS 1.2+ enforced on all connections
- Sensitive credentials (API keys, service account JSONs) stored encrypted in the database
- COUNTER 5.1 access logs are aggregated and anonymised at the user level — no identifiable reading history retained beyond 90 days without explicit consent
- Patron annotations and bookmarks are private to the individual user by default
Infrastructure
- Hosted on AWS (primary), with Railway/Vercel for the application layer; all are major cloud providers holding SOC 2 Type II certification
- Database backups taken daily with 30-day retention
- Automated dependency scanning via Dependabot on all repositories
- Production environment variables are never committed to source control
- Security patches applied within 24 hours of critical CVE disclosures
Input validation & web security
- All HTML email templates use explicit escaping to prevent XSS injection via user-supplied fields
- SMTP header injection prevented by stripping newline characters from all email header fields
- SQL injection prevented by TypeORM parameterised queries throughout
- File upload validation: MIME type allowlist, 5 MB cap on branding assets, content-type verification
- CORS configured to explicit origin allowlist — no wildcard origins in production
Penetration testing
Independent security testing, semi-annually
Data residency
Choose where your data lives
All regions use AWS infrastructure. Region selection is available on Enterprise plan.
- European Union: AWS eu-west-1 (Ireland). Data does not leave the EU by default for EU customers
- United Kingdom: AWS eu-west-2 (London). Available on Enterprise plan
- India: AWS ap-south-1 (Mumbai). Available on Enterprise plan
- United States: AWS us-east-1 (N. Virginia). Default region for US customers
- Custom region (on request): Other AWS regions available for Enterprise customers on request
Enterprise procurement
We support enterprise and institutional procurement processes including security questionnaires, vendor risk assessments, DPA countersignatures, and custom NDA agreements.
- Security questionnaire responses (CAIQ, SIG, bespoke)
- Signed DPA available within 5 business days
- Pen test reports under NDA
- Sub-processor list with security credentials
- Business Associate Agreement (BAA) for HIPAA contexts
- Cyber insurance certificate on request
Responsible disclosure
We take security reports seriously. If you discover a vulnerability in the ZenPub platform, please report it privately before disclosing publicly. We commit to acknowledging receipt within 24 hours and providing a fix timeline within 72 hours for critical issues. We do not pursue legal action against good-faith researchers.
Report a vulnerability: security@zentrovia.tech
Include steps to reproduce, affected components, and potential impact.